Abstract

A temporal logic is presented for reasoning about the correctness of timed concurrent constraint programs. The logic is based on modalities which allow one to specify what a process produces as a reaction to what its environment inputs. These modalities provide an assumption/commitment style of specification which allows a sound and complete compositional axiomatization of the reactive behavior of timed concurrent constraint programs.
1 Introduction

Many "real-life" computer applications maintain some ongoing interaction with external physical processes and involve time-critical aspects. Characteristic of such applications, usually called real-time embedded systems, is the specification of timing constraints such as, for example, that an input is required within a bounded period of time. Typical examples of such systems are process controllers and signal processing systems.

In [?] tccp, a timed extension of the pure formalism of concurrent constraint programming (ccp) [?], is introduced. This extension is based on the hypothesis of bounded asynchrony (as introduced in [27]): computation takes a bounded period of time rather than being instantaneous as in the concurrent synchronous languages ESTEREL [?], LUSTRE [?], SIGNAL [?] and Statecharts [?]. Time itself is measured by a discrete global clock, i.e., the internal clock of the tccp process. In [?] we also introduced timed reactive sequences which describe at each moment in time the reaction of a tccp process to the input of the external environment. Formally, such a reaction is a pair of constraints $(c, d)$, where $c$ is the input given by the environment and $d$ is the constraint produced by the process in response to the input $c$ (such a response always includes the input because of the monotonicity of ccp computations).

In this paper we introduce a temporal logic for describing and reasoning about timed reactive sequences. The basic assertions of the temporal logic describe the reactions of such a sequence in terms of modalities which express either what a process assumes about the inputs of the environment or what a process commits to, i.e., has itself produced at one time-instant. These modalities thus provide a kind of assumption/commitment style of specification of the reactive behavior of a process. The main result of this paper is a sound and complete compositional proof system for reasoning about the correctness of tccp programs as specified by formulas in this temporal logic.

The remainder of this paper is organized as follows. In the next section we introduce the language tccp and its operational semantics. In Section 3 we introduce the temporal logic and the compositional proof system. In Section 4 we discuss soundness and completeness of the proof system. Section 5 concludes by discussing related work and indicating future research. A preliminary, short version of this paper appeared in [?].
2 The programming language



In this section we first define the tccp language and then we define formally its operational semantics by using a transition system.

Since the starting point is ccp, we introduce first some basic notions related to this programming paradigm. We refer to [?] for more details. The ccp languages are defined parametrically wrt a given constraint system. The notion of constraint system has been formalized in [26] following Scott's treatment of information systems. Here we only consider the resulting structure.



Definition 2.1 A constraint system is a complete algebraic lattice $(C, \le, \sqcup, \mathit{true}, \mathit{false})$ where $\sqcup$ is the lub operation, and $\mathit{true}$, $\mathit{false}$ are the least and the greatest elements of $C$, respectively.



Following the standard terminology and notation, instead of $\le$ we will refer to its inverse relation, denoted by $\vdash$ and called entailment. Formally, $\forall c, d \in C.\ c \vdash d \Leftrightarrow d \le c$. In order to treat the hiding operator of the language a general notion of existential quantifier is introduced which is formalized in terms of cylindric algebras [?]. Moreover, in order to model parameter passing, diagonal elements are added to the primitive constraints. This leads to the concept of a cylindric constraint system. In the following, we assume given a (denumerable) set of variables $\mathit{Var}$ with typical elements $x, y, z, \ldots$.



Definition 2.2 Let $(C, \le, \sqcup, \mathit{true}, \mathit{false})$ be a constraint system. Assume that for each $x \in \mathit{Var}$ a function $\exists x : C \to C$ is defined such that for any $c, d \in C$:

(i) $c \vdash \exists x(c)$, (ii) if $c \vdash d$ then $\exists x(c) \vdash \exists x(d)$,

(iii) $\exists x(c \sqcup \exists x(d)) = \exists x(c) \sqcup \exists x(d)$, (iv) $\exists x(\exists y(c)) = \exists y(\exists x(c))$.

Moreover assume that for $x, y$ ranging in $\mathit{Var}$, $C$ contains the constraints $d_{xy}$ (so called diagonal elements) which satisfy the following axioms:

(v) $\mathit{true} \vdash d_{xx}$, (vi) if $z \neq x, y$ then $d_{xy} = \exists z(d_{xz} \sqcup d_{zy})$,

(vii) if $x \neq y$ then $d_{xy} \sqcup \exists x(c \sqcup d_{xy}) \vdash c$.

Then $\mathcal{C} = (C, \le, \sqcup, \mathit{true}, \mathit{false}, \mathit{Var}, \exists x, d_{xy})$ is a cylindric constraint system.



Note that if $\mathcal{C}$ models the equality theory, then the elements $d_{xy}$ can be thought of as the formulas $x = y$. In the sequel we will identify a system $\mathcal{C}$ with its underlying set of constraints $C$ and we will denote $\exists x(c)$ by $\exists x c$ with the convention that, in case of ambiguity, the scope of $\exists x$ is limited to the first constraint sub-expression (so, for instance, $\exists x c \sqcup d$ stands for $\exists x(c) \sqcup d$).

The basic idea underlying ccp is that computation progresses via monotonic accumulation of information 
in a global store. Information is produced by the concurrent and asynchronous activity of several agents 
which can add (tell) a constraint to the store. Dually, agents can also check (ask) whether a constraint is 
entailed by the store, thus allowing synchronization among different agents. Parallel composition in ccp 
is modeled by the interleaving of the basic actions of its components. 

When querying the store for some information which is not present (yet) a ccp agent will simply suspend until the required information has arrived. In timed applications, however, one often cannot wait indefinitely for an event. Consider for example the case of a bank teller machine. Once a card is accepted and its identification number has been checked, the machine asks the authorization of the bank to release the requested money. If the authorization does not arrive within a reasonable amount of time, then the card should be given back to the customer. A timed language should then allow us to specify that, in case a given time bound is exceeded (i.e. a time-out occurs), the wait is interrupted and an alternative action is taken. Moreover in some cases it is also necessary to abort an active process $A$ and to start a process $B$ when a specific event occurs (this is usually called preemption of $A$). For example, according to a typical pattern, $A$ is the process controlling the normal activity of some physical device, the event indicates some abnormal situation and $B$ is the exception handler.
In order to be able to specify these timing constraints in ccp we introduce a discrete global clock and
assume that ask and tell actions take one time-unit. Computation evolves in steps of one time-unit, 
so called clock-cycles. We consider action prefixing as the syntactic marker which distinguishes a time 
instant from the next one. Furthermore we make the assumption that parallel processes are executed on 
different processors, which implies that at each moment every enabled agent of the system is activated. 
This assumption gives rise to what is called maximal parallelism. The time in between two successive 
moments of the global clock intuitively corresponds to the response time of the underlying constraint 
system. Thus essentially in our model all parallel agents are synchronized by the response time of the 
underlying constraint system. 

Furthermore, on the basis of the above assumptions we introduce a timing construct of the form $\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B$ which can be interpreted as follows: If the constraint $c$ is entailed by the store at the current time $t$ then the above agent behaves as $A$ at time $t$, otherwise it behaves as $B$ at time $t$. As shown in [?], this basic construct allows one to derive such timing mechanisms as time-out and preemption. Thus we end up with the following syntax of timed concurrent constraint programming.

Definition 2.3 [tccp Language [?]] Assuming a given cylindric constraint system $\mathcal{C}$ the syntax of agents is given by the following grammar:

$$A ::= \mathbf{tell}(c) \mid \sum_{i=1}^{n} \mathbf{ask}(c_i) \to A_i \mid \mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B \mid A \parallel B \mid \exists x A \mid p(x)$$

where the $c, c_i$ are supposed to be finite constraints (i.e. algebraic elements) in $C$. A tccp process $P$ is then an object of the form $D.A$, where $D$ is a set of procedure declarations of the form $p(x) :: A$ and $A$ is an agent.

Action prefixing is denoted by $\to$, non-determinism is introduced via the guarded choice construct $\sum_{i=1}^{n} \mathbf{ask}(c_i) \to A_i$, parallel composition is denoted by $\parallel$, and a notion of locality is introduced by the agent $\exists x A$ which behaves like $A$ with $x$ considered local to $A$, thus hiding the information on $x$ provided by the external environment. In the next subsection we describe formally the operational semantics of tccp. In order to simplify the notation, in the following we will omit the $\sum_{i=1}^{n}$ whenever $n = 1$ and we will use $\mathbf{tell}(c) \to A$ as a shorthand for $\mathbf{tell}(c) \parallel (\mathbf{ask}(\mathit{true}) \to A)$. In the following we also assume guarded recursion, that is we assume that each procedure call is in the scope of an ask construct. This assumption, which does not limit the expressive power of the language, is needed to ensure a proper definition of the operational semantics.

2.1 Operational semantics 

The operational model of tccp can be formally described by a transition system $T = (\mathit{Conf}, \to)$ where we assume that each transition step takes exactly one time-unit. Configurations (in) $\mathit{Conf}$ are pairs consisting of a process and a constraint in $C$ representing the common store. The transition relation $\to \subseteq \mathit{Conf} \times \mathit{Conf}$ is the least relation satisfying the rules R1-R10 in Table 1 and characterizes the (temporal) evolution of the system. So, $(A,c) \to (B,d)$ means that if at time $t$ we have the process $A$ and the store $c$ then at time $t+1$ we have the process $B$ and the store $d$.

Table 1: The transition system for tccp.

R1 $(\mathbf{tell}(c), d) \to (\mathbf{stop}, c \sqcup d)$

R2 $(\sum_{i=1}^{n} \mathbf{ask}(c_i) \to A_i, d) \to (A_j, d)$ if $j \in [1,n]$ and $d \vdash c_j$

R3 $\dfrac{(A,d) \to (A',d')}{(\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B, d) \to (A',d')}$ if $d \vdash c$

R4 $\dfrac{(A,d) \not\to}{(\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B, d) \to (A,d)}$ if $d \vdash c$

R5 $\dfrac{(B,d) \to (B',d')}{(\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B, d) \to (B',d')}$ if $d \not\vdash c$

R6 $\dfrac{(B,d) \not\to}{(\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B, d) \to (B,d)}$ if $d \not\vdash c$

R7 $\dfrac{(A,c) \to (A',c') \quad (B,c) \to (B',d')}{(A \parallel B, c) \to (A' \parallel B', c' \sqcup d')}$

R8 $\dfrac{(A,c) \to (A',c') \quad (B,c) \not\to}{(A \parallel B, c) \to (A' \parallel B, c') \qquad (B \parallel A, c) \to (B \parallel A', c')}$

R9 $\dfrac{(A, d \sqcup \exists x c) \to (B, d')}{(\exists^{d} x A, c) \to (\exists^{d'} x B, c \sqcup \exists x d')}$

R10 $\dfrac{(A,c) \to (B,d)}{(p(x),c) \to (B,d)}$ if $p(x) :: A \in D$

Let us now briefly discuss the rules in Table 1. In order to represent successful termination we introduce the auxiliary agent $\mathbf{stop}$: it cannot make any transition. Rule R1 shows that we are considering here the so called "eventual" tell: The agent $\mathbf{tell}(c)$ adds $c$ to the store $d$ without checking for consistency of $c \sqcup d$ and then stops. Note that the updated store $c \sqcup d$ will be visible only starting from the next time instant since each transition step involves exactly one time-unit. According to rule R2 the guarded choice operator gives rise to global non-determinism: The external environment can affect the choice since $\mathbf{ask}(c_j)$ is enabled at time $t$ (and $A_j$ is started at time $t+1$) iff the store $d$ entails $c_j$, and $d$ can be modified by other agents. The rules R3-R6 show that the agent $\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B$ behaves as $A$ or $B$ depending on the fact that $c$ is or is not entailed by the store. Differently from the case of the ask, here the evaluation of the guard is instantaneous: If $(A,d)$ ($(B,d)$) can make a transition at time $t$ and $c$ is (is not) entailed by the store $d$, then the agent $\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B$ can make the same transition at time $t$. Moreover, observe that in any case the control is passed either to $A$ (if $c$ is entailed by the current store $d$) or to $B$ (in case $d$ does not entail $c$). Rules R7 and R8 model the parallel composition operator in terms of maximal parallelism: The agent $A \parallel B$ executes in one time-unit all the initial enabled actions of $A$ and $B$. Thus, for example, the agent $A \equiv (\mathbf{ask}(c) \to \mathbf{stop}) \parallel (\mathbf{tell}(c) \to \mathbf{stop})$ evaluated in the store $c$ will (successfully) terminate in one time-unit, while the same agent in the empty store will take two time-units to terminate. The agent $\exists x A$ behaves like $A$, with $x$ considered local to $A$, i.e. the information on $x$ provided by the external environment is hidden to $A$ and, conversely, the information on $x$ produced locally by $A$ is hidden to the external world. To describe locality in rule R9 the syntax has been extended by an agent $\exists^{d} x A$ where $d$ is a local store of $A$ containing information on $x$ which is hidden in the external store. Initially the local store is empty, i.e. $\exists x A = \exists^{\mathit{true}} x A$.

Rule R10 treats the case of a procedure call when the actual parameter equals the formal parameter. We do not need more rules since, for the sake of simplicity, here and in the following we assume that the set $D$ of procedure declarations is closed wrt parameter names: That is, for every procedure call $p(y)$ appearing in a process $D.A$ we assume that if the original declaration for $p$ in $D$ is $p(x) :: A$ then $D$ contains also the declaration $p(y) :: \exists x(\mathbf{tell}(d_{xy}) \parallel A)$¹.
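The rules of Table 1 and the timing behaviour discussed above can be exercised on a small interpreter. The following Python program is an added example, not code from the paper: it implements R1-R10 over a toy constraint system (an assumption of the example: a constraint is a finite set of atomic facts such as "x=a", the lub is set union, entailment is set inclusion and $\exists x$ drops the facts mentioning $x$), reads off the timed reactive sequence of a run in which a constructed environment adds inputs at given time-units, and reproduces the one-versus-two time-unit behaviour of $(\mathbf{ask}(c) \to \mathbf{stop}) \parallel (\mathbf{tell}(c) \to \mathbf{stop})$, the bank-teller time-out sketched earlier in this section, and the effect of hiding on the agent $A$ used in the derivation example of Section 3.2. Where the paper's guarded choice is nondeterministic, the interpreter takes the first enabled guard. All function names (`step`, `run`, `tell_then`, `bank_teller`, ...) are the example's own.

```python
# Added example (not from the paper): a miniature interpreter for tccp agents
# over a toy constraint system, following the rules R1-R10 of Table 1.
# Toy constraint system (assumption): a constraint is a frozenset of atomic
# facts such as "x=a"; lub is union, d |- c is the superset test, true = {}.

STOP = ("stop",)                       # auxiliary agent: makes no transition

def entails(d, c):
    """d |- c  iff  every fact of c is already in d."""
    return set(c) <= set(d)

def hide(x, c):
    """Existential quantification: drop the facts that mention variable x."""
    return frozenset(f for f in c if not f.startswith(x + "="))

def tell_then(c, a):
    """tell(c) -> A  as the shorthand  tell(c) || (ask(true) -> A)."""
    return ("par", ("tell", c), ("ask", [(frozenset(), a)]))

def step(agent, store, decls):
    """One transition (A, d) -> (B, d'), or None when (A, d) cannot move."""
    kind = agent[0]
    if kind == "stop":
        return None
    if kind == "tell":                                   # R1: eventual tell
        return STOP, store | agent[1]
    if kind == "ask":                                    # R2: guarded choice; the
        for c, a in agent[1]:                            # paper's choice is nondeterministic,
            if entails(store, c):                        # here the first enabled guard wins
                return a, store
        return None
    if kind == "now":                                    # R3-R6: instantaneous test
        _, c, a, b = agent
        branch = a if entails(store, c) else b
        return step(branch, store, decls) or (branch, store)
    if kind == "par":                                    # R7-R8: maximal parallelism
        _, a, b = agent
        ra, rb = step(a, store, decls), step(b, store, decls)
        if ra and rb:
            return ("par", ra[0], rb[0]), ra[1] | rb[1]
        if ra:
            return ("par", ra[0], b), ra[1]
        if rb:
            return ("par", a, rb[0]), rb[1]
        return None
    if kind == "hide":                                   # R9: local store for x
        _, x, local, a = agent
        res = step(a, local | hide(x, store), decls)
        if res is None:
            return None
        b, local2 = res
        return ("hide", x, local2, b), store | hide(x, local2)
    if kind == "call":                                   # R10: procedure call p(x)
        return step(decls[agent[1]], store, decls)
    raise ValueError(kind)

def run(agent, decls, inputs=(), max_steps=20):
    """Drive the agent until it blocks; the environment adds inputs[t] at time t.
    Returns the timed reactive sequence (c_1,d_1)...(c_n,d_n)(d,d) of Section 2.1."""
    store, seq = frozenset(), []
    for t in range(max_steps):
        c = store | (inputs[t] if t < len(inputs) else frozenset())
        res = step(agent, c, decls)
        if res is None:
            seq.append((c, c))                           # stuttering step: resting point
            return seq
        agent, store = res
        seq.append((c, store))
    return seq

def time_to_terminate(initial):
    """(ask(c) -> stop) || (tell(c) -> stop) started in the given store:
    number of time-units until it terminates (non-stuttering reactions)."""
    c = frozenset({"c"})
    agent = ("par", ("ask", [(c, STOP)]), tell_then(c, STOP))
    return len(run(agent, {}, [initial])) - 1

def bank_teller(auth_at):
    """Time-out built from now: wait at most two time-units for the bank's 'auth',
    which the constructed environment supplies at time auth_at (None: never)."""
    auth, ok, back = frozenset({"auth"}), frozenset({"release"}), frozenset({"return_card"})
    retry = ("ask", [(frozenset(), ("now", auth, ("tell", ok), ("tell", back)))])
    agent = ("now", auth, ("tell", ok), retry)
    inputs = [frozenset()] * 4
    if auth_at is not None:
        inputs[auth_at] = auth
    final = run(agent, {}, inputs)[-1][1]
    return "release" in final, "return_card" in final

def hidden_choice(hide_x):
    """Agent A of Section 3.2 with environment input x=a at time 0: without hiding
    the first guard fires; inside (exists x)A the input on x is invisible, so the
    second guard fires and y=b is in the output of the second reaction."""
    xa, yb = frozenset({"x=a"}), frozenset({"y=b"})
    a = ("ask", [(xa, ("tell", frozenset())), (frozenset(), ("tell", yb))])
    agent = ("hide", "x", frozenset(), a) if hide_x else a
    return "y=b" in run(agent, {}, [xa])[1][1]

if __name__ == "__main__":
    print(time_to_terminate(frozenset()), time_to_terminate(frozenset({"c"})))
    print(bank_teller(1), bank_teller(None), hidden_choice(False), hidden_choice(True))
```

The time-out is expressed with nested `now` tests rather than a clock value: the authorization is checked at time 0 and again at time 1, so an `auth` supplied at time 2 arrives too late and the card is returned, exactly the bank-teller behaviour the text asks a timed language to express.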

Using the transition system described by (the rules in) Table 1 we can now define our notion of observables which associates with an agent a set of timed reactive sequences of the form

$$(c_1, d_1) \cdots (c_n, d_n)(d, d)$$

where a pair of constraints $(c_i, d_i)$ represents a reaction of the given agent at time $i$: Intuitively, the agent transforms the global store from $c_i$ to $d_i$ or, in other words, $c_i$ is the assumption on the external environment while $d_i$ is the contribution of the agent itself (which always includes the assumption). The last pair denotes a "stuttering step" in which no further information can be produced by the agent, thus indicating that a "resting point" has been reached.

¹ Here the (original) formal parameter is identified as a local alias of the actual parameter. Alternatively, we could have introduced a new rule treating explicitly this case, as it was in the original ccp papers.

Since the basic actions of tccp are monotonic and we can also model a new input of the external environment by a corresponding tell operation, it is natural to assume that reactive sequences are monotonically increasing. So in the following we will assume that each timed reactive sequence $(c_1, d_1) \cdots (c_{n-1}, d_{n-1})(c_n, c_n)$ satisfies the following condition: $d_i \vdash c_i$ and $c_j \vdash d_{j-1}$, for any $i \in [1, n-1]$ and $j \in [2, n]$. Since the constraints arising from the reactions are finite, we also assume that a reactive sequence contains only finite constraints².

The set of all reactive sequences is denoted by $\mathcal{S}$ and its typical elements by $s, s_1, \ldots$, while sets of reactive sequences are denoted by $S, S_1, \ldots$ and $\varepsilon$ indicates the empty reactive sequence. Furthermore, $\cdot$ denotes the operator which concatenates sequences. Operationally the reactive sequences of an agent are generated as follows.

Definition 2.4 We define the semantics $R \in \mathit{Agent} \to \mathcal{P}(\mathcal{S})$ by

$$R(A) = \{(c,d) \cdot w \in \mathcal{S} \mid (A,c) \to (B,d) \text{ and } w \in R(B)\} \ \cup\ \{(c,c) \cdot w \in \mathcal{S} \mid (A,c) \not\to \text{ and } w \in R(A) \cup \{\varepsilon\}\}.$$

Note that $R(A)$ is defined as the union of the set of all reactive sequences which start with a reaction of $A$ and the set of all reactive sequences which start with a stuttering step of $A$. In fact, when an agent is blocked, i.e., it cannot react to the input of the environment, a stuttering step is generated. After such a stuttering step the computation can either continue with the further evaluation of $A$ (possibly generating more stuttering steps) or it can terminate, as a "resting point" has been reached. These two cases are reflected in the second part of the definition of $R(A)$ by the two conditions $w \in R(A)$ and $w \in \{\varepsilon\}$, respectively. Note also that, since the $\mathbf{stop}$ agent used in the transition system cannot make any move, an arbitrary (finite) sequence of stuttering steps is always appended to each reactive sequence.

Formally $R$ is defined as the least fixed-point of the corresponding operator $\Phi \in (\mathit{Agent} \to \mathcal{P}(\mathcal{S})) \to \mathit{Agent} \to \mathcal{P}(\mathcal{S})$ defined by

$$\Phi(I)(A) = \{(c,d) \cdot w \in \mathcal{S} \mid (A,c) \to (B,d) \text{ and } w \in I(B)\} \ \cup\ \{(c,c) \cdot w \in \mathcal{S} \mid (A,c) \not\to \text{ and } w \in I(A) \cup \{\varepsilon\}\}.$$

The ordering on $\mathit{Agent} \to \mathcal{P}(\mathcal{S})$ is that of (point-wise extended) set-inclusion (it is straightforward to check that $\Phi$ is continuous).

² Note that here we implicitly assume that if $c$ is a finite element then also $\exists x c$ is finite.

3 A calculus for tccp

In this section we introduce a temporal logic for reasoning about the reactive behavior of tccp programs. We first define temporal formulas and the related notions of truth and validity in terms of timed reactive sequences. Then we introduce the correctness assertions that we consider and a corresponding proof system.
3.1 Temporal logic



Given a set $M$, with typical elements $X, Y, \ldots$, of monadic constraint predicate variables, our temporal logic is based on atomic formulas of the form $X(c)$, where $c$ is a constraint of the given underlying constraint system. The distinguished predicate $I$ will be used to express the "assumptions" of a process about its inputs, that is, $I(c)$ holds if the process assumes the information represented by $c$ is produced by its environment. On the other hand, the distinguished predicate $O$ represents the output of a process, that is, $O(c)$ holds if the information represented by $c$ is produced by the process itself (recall that the produced information always includes the input, as previously mentioned). More precisely, these formulas $I(c)$ and $O(c)$ will be interpreted with respect to a reaction which consists of a pair of constraints $(c, d)$, where $c$ represents the input of the external environment and $d$ is the contribution of the process itself (as a reaction to the input $c$) which always contains $c$ (i.e. such that $d \ge c$ holds).

An atomic formula in our temporal logic is a formula as described above or an atomic formula of the form $c \le d$ which 'imports' information about the underlying constraint system, i.e., $c \le d$ holds if $d \vdash c$. Compound formulas are constructed from these atomic formulas by using the (usual) logical operators of negation, conjunction and (existential) quantification and the temporal operators $\bigcirc$ (the next operator) and $\mathcal{U}$ (the until operator). We have the following three different kinds of quantification:

• quantification over the variables $x, y, \ldots$ of the underlying constraint system;

• quantification over the constraints $c, d, \ldots$ themselves;

• quantification over the monadic constraint predicate variables $X, Y, \ldots$

Variables $p, q, \ldots$ will range over the constraints. We will use $V, W, \ldots$ to denote a variable $x$ of the underlying constraint system, a constraint variable $p$ or a constraint predicate $X$.

Definition 3.1 [Temporal formulas] Given an underlying constraint system with set of constraints $C$, formulas of the temporal logic are defined by

$$\phi ::= p \le q \mid X(c) \mid \neg\phi \mid \phi \wedge \phi \mid \exists V \phi \mid \bigcirc\phi \mid \phi\,\mathcal{U}\,\phi$$

In the sequel we assume that the temporal operators have binding priority over the propositional connectives. We introduce the following abbreviations: $c = d$ stands for $c \le d \wedge d \le c$, $\Diamond\phi$ for $\mathit{true}\,\mathcal{U}\,\phi$ and $\Box\phi$ for $\neg\Diamond\neg\phi$. We also use $\phi \vee \psi$ as a shorthand for $\neg(\neg\phi \wedge \neg\psi)$ and $\phi \to \psi$ as a shorthand for $\neg\phi \vee \psi$. Finally, given a temporal formula $\phi$, we denote by $FV(\phi)$ ($FV_{\mathit{constr}}(\phi)$) the set of the free (constraint) variables of $\phi$.

Definition 3.2 Given an underlying constraint system with set of constraints $C$, the truth of an atomic formula $X(c)$ is defined with respect to a predicate assignment $v \in M \to C$ which assigns to each monadic predicate $X$ a constraint. We define

$$v \models X(c) \text{ if } v(X) \vdash c.$$

Thus $X(c)$ holds if $c$ is entailed by the constraint represented by $X$. In other words, a monadic constraint predicate $X$ denotes a set $\{d \mid d \vdash c\}$ for some $c$. We restrict to constraint predicate assignments which are monotonic in the following sense: $v(O) \vdash v(I)$. In other words, the output of a process contains its input.

The temporal operators are interpreted with respect to a finite sequence $\rho = v_1, \ldots, v_n$ of constraint predicate assignments in the standard manner: $\bigcirc\phi$ holds if $\phi$ holds in the next time-instant and $\phi\,\mathcal{U}\,\psi$ holds if there exists a future moment (possibly the present) in which $\psi$ holds and until then $\phi$ holds. We restrict to sequences $\rho = v_1, \ldots, v_n$ which are monotonic in the following sense: for $1 \le i < n$, we have

• $v_{i+1}(X) \vdash v_i(X)$, for every predicate $X$;

• $v_{i+1}(I) \vdash v_i(O)$.

The latter condition requires that the input of a process contains its output at the previous time-instant. Note that these conditions correspond with the monotonicity of reactive sequences as defined above.

In order to define the truth of a temporal formula we introduce the following notions: given a finite sequence $\rho = v_1, \ldots, v_n$ of predicate assignments, we denote by $l(\rho) = n$ the length of $\rho$ and $\rho_i = v_i$, $1 \le i \le n$. We also define $\rho < \rho'$ if $\rho$ is a proper suffix of $\rho'$ ($\rho \le \rho'$ if $\rho < \rho'$ or $\rho = \rho'$). Given a variable $x$ of the underlying constraint system and a predicate assignment $v$ we define the predicate assignment $\exists x v$ by $\exists x v(X) = \exists x d$, where $d = v(X)$. Given a sequence $\rho = v_1, \ldots, v_n$, we denote by $\exists x \rho$ the sequence $\exists x v_1, \ldots, \exists x v_n$. Moreover, given a monadic constraint predicate $X$ and a predicate assignment $v$ we denote by $\exists X v$ the restriction of $v$ to $M \setminus \{X\}$. Given a sequence $\rho = v_1, \ldots, v_n$, we denote by $\exists X \rho$ the sequence $\exists X v_1, \ldots, \exists X v_n$. Furthermore, by $\gamma$ we denote a constraint assignment which assigns to each constraint variable $p$ a constraint $\gamma(p)$. Finally, $\gamma\{c/p\}$ denotes the result of assigning in $\gamma$ the constraint $c$ to the variable $p$.

Moreover, we assume that time does not stop, so actually a finite sequence $v_1 \cdots v_n$ represents the infinite sequence $v_1 \cdots v_n, v_n, v_n \cdots$ with the last element repeated infinitely many times. Formally, this assumption is reflected in the following definition in the interpretation of the $\bigcirc$. By a slight abuse of notation, given a sequence $\rho = v_1 \cdots v_n$ with $n \ge 1$ we define $\bigcirc\rho$ as follows

$(n = 1)\quad \bigcirc\rho = v_1$

$(n > 1)\quad \bigcirc\rho = v_2 \cdots v_n.$

The truth of a temporal formula is then defined as follows.

Definition 3.3 Given a sequence of predicate assignments $\rho = v_1, v_2, \ldots, v_n$, a constraint assignment $\gamma$ and $\phi$ a temporal formula, we define $\rho \models_\gamma \phi$ by:

$\rho \models_\gamma p \le q$ if $\gamma(q) \vdash \gamma(p)$

$\rho \models_\gamma X(c)$ if $\rho_1 \models X(c)$

$\rho \models_\gamma \neg\phi$ if $\rho \not\models_\gamma \phi$

$\rho \models_\gamma \phi_1 \wedge \phi_2$ if $\rho \models_\gamma \phi_1$ and $\rho \models_\gamma \phi_2$

$\rho \models_\gamma \exists x \phi$ if $\rho' \models_\gamma \phi$, for some $\rho'$ s.t. $\exists x \rho = \exists x \rho'$

$\rho \models_\gamma \exists X \phi$ if $\rho' \models_\gamma \phi$, for some $\rho'$ s.t. $\exists X \rho = \exists X \rho'$

$\rho \models_\gamma \exists p \phi$ if $\rho \models_{\gamma'} \phi$, for some $c$ s.t. $\gamma' = \gamma\{c/p\}$

$\rho \models_\gamma \bigcirc\phi$ if $\bigcirc\rho \models_\gamma \phi$

$\rho \models_\gamma \phi\,\mathcal{U}\,\psi$ if for some $\rho' \le \rho$, $\rho' \models_\gamma \psi$ and for all $\rho' < \rho'' \le \rho$, $\rho'' \models_\gamma \phi$

Moreover $\rho \models \phi$ iff $\rho \models_\gamma \phi$ for every constraint assignment $\gamma$.

Definition 3.4 A formula $\phi$ is valid, notation $\models \phi$, iff $\rho \models \phi$ for every sequence $\rho$ of predicate assignments.

We have the validity of the usual temporal tautologies. Monotonicity of the constraint predicates wrt the entailment relation of the underlying constraint system is expressed by the formula

$$\forall p \forall q \forall X (p \le q \to (X(q) \to X(p))).$$

Monotonicity of the constraint predicates wrt time implies the validity of the following formula

$$\forall p \forall X (X(p) \to \bigcirc X(p)).$$

The relation between the distinguished constraint predicates $I$ and $O$ is logically described by the laws

$$\forall p (I(p) \to O(p)) \quad \text{and} \quad \forall p (O(p) \to \bigcirc I(p)),$$

that is, the output of a process contains its input and is contained in the inputs of the next time-instant.
3.2 The proof-system



We introduce now a proof-system for reasoning about the correctness of tccp programs. We first define formally the correctness assertions and their validity.

Definition 3.5 Correctness assertions are of the form $A\ \mathbf{sat}\ \phi$, where $A$ is a tccp process and $\phi$ is a temporal formula. The validity of an assertion $A\ \mathbf{sat}\ \phi$, denoted by $\models A\ \mathbf{sat}\ \phi$, is defined as follows

$$\models A\ \mathbf{sat}\ \phi \text{ iff } \rho \models \phi, \text{ for all } \rho \in R'(A),$$

where

$$R'(A) = \{v_1, \ldots, v_n \mid (v_1(I), v_1(O)) \cdots (v_n(I), v_n(O)) \in R(A)\}.$$

Roughly, the correctness assertion $A\ \mathbf{sat}\ \phi$ states that every sequence $\rho$ of predicate assignments such that its 'projection' onto the distinguished predicates $I$ and $O$ generates a reactive sequence of $A$, satisfies the temporal formula $\phi$.



Table 2 presents the proof-system.

Table 2: The system TL for tccp.

T1 $\mathbf{tell}(c)\ \mathbf{sat}\ O(c) \wedge \forall p(O(p) \to \exists q(I(q) \wedge q \sqcup c = p)) \wedge \bigcirc\Box\mathit{stut}$

T2 $\dfrac{A_i\ \mathbf{sat}\ \phi_i,\quad i \in [1,n]}{\sum_{i=1}^{n} \mathbf{ask}(c_i) \to A_i\ \mathbf{sat}\ \bigvee_{i=1}^{n}\big((\bigwedge_{j=1}^{n} \neg I_j)\, \mathcal{U}\, (I_i \wedge \bigcirc\phi_i)\big) \vee \Box(\bigwedge_{i=1}^{n} \neg I_i \wedge \mathit{stut})}$

T3 $\dfrac{A\ \mathbf{sat}\ \phi \quad B\ \mathbf{sat}\ \psi}{\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B\ \mathbf{sat}\ (I(c) \wedge \phi) \vee (\neg I(c) \wedge \psi)}$

T4 $\dfrac{A\ \mathbf{sat}\ \phi}{\exists x A\ \mathbf{sat}\ \exists x(\phi \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x)}$

T5 $\dfrac{A\ \mathbf{sat}\ \phi \quad B\ \mathbf{sat}\ \psi}{A \parallel B\ \mathbf{sat}\ \exists X, Y(\phi[X/O] \wedge \psi[Y/O] \wedge \mathit{par}(X,Y))}$ $X, Y \notin FV(\phi) \cup FV(\psi)$, $X \neq Y$

T6 $\dfrac{p(x)\ \mathbf{sat}\ \phi \vdash_P A\ \mathbf{sat}\ \phi}{p(x)\ \mathbf{sat}\ \phi}$ $p(x)$ declared as $A$

T7 $\dfrac{A\ \mathbf{sat}\ \phi \quad \models \phi \to \psi}{A\ \mathbf{sat}\ \psi}$

Axiom T1 states that the execution of $\mathbf{tell}(c)$ consists of the output of $c$ (as described by $O(c)$) together with any possible input (as described by $I(q)$). Moreover, at every time-instant in the future no further output is generated, which is expressed by the formula

$$\forall p (O(p) \to I(p)),$$

which we abbreviate by $\mathit{stut}$ (since it represents stuttering steps).

In rule T2 $I_i$ stands for $I(c_i)$. Given that $A_i$ satisfies $\phi_i$, rule T2 allows the derivation of the specification for $\sum_{i=1}^{n} \mathbf{ask}(c_i) \to A_i$, which expresses that either eventually $c_i$ is an input and, consequently, $\phi_i$ holds in the next time-instant (since the evaluation of the ask takes one time-unit), or none of the guards is ever satisfied.
Rule T3 simply states that if $A$ satisfies $\phi$ and $B$ satisfies $\psi$ then every computation of $\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B$ satisfies either $\phi$ or $\psi$, depending on the fact that $c$ is an input or not.

Hiding of a local variable $x$ is axiomatized in rule T4 by first existentially quantifying $x$ in $\phi \wedge \mathit{loc}(x)$, where $\mathit{loc}(x)$ denotes the following formula which expresses that $x$ is local, i.e., the inputs of the environment do not contain new information on $x$:

$$\forall p (\exists x p \neq p \to (\neg I(p) \wedge \Box(\bigcirc I(p) \to \exists r (O(r) \wedge \exists x p \sqcup r = p)))).$$

This formula literally states that the initial input does not contain information on $x$ and that everywhere in the computation if in the next state an input contains information on $x$ then this information is already contained by the previous output. Finally, the following formula $\mathit{inv}(x)$

$$\forall p \Box(\exists x p \neq p \to (O(p) \to \exists r (I(r) \wedge \exists x p \sqcup r = p)))$$

states that the process does not provide new information on the global variable $x$.

Rule T5 gives a compositional axiomatization of parallel composition. The 'fresh' constraint predicates $X$ and $Y$ are used to represent the outputs of $A$ and $B$, respectively ($\phi[X/O]$ and $\psi[Y/O]$ denote the result of replacing $O$ by $X$ and $Y$). Additionally, the formula

$$\forall p \Box(O(p) \to \exists q_1 \exists q_2 (X(q_1) \wedge Y(q_2) \wedge q_1 \sqcup q_2 = p)),$$

denoted by $\mathit{par}(X,Y)$, expresses that every output of $A \parallel B$ can be decomposed into outputs of $A$ and $B$.

Rule T6, where $\vdash_P$ denotes derivability within the proof system, describes recursion in the usual manner by using a meta-rule (Scott-induction, see also [?]): we can conclude that the agent $p(x)$ satisfies a property $\phi$ whenever the body of $p(x)$ satisfies the same property assuming the conclusion of the rule. In this rule $x$ is assumed to be both the formal and the actual parameter. We do not need more rules since, as previously mentioned, we can assume that the set $D$ of procedure declarations is closed wrt parameter names.

Note also that, for the sake of simplicity, we do not mention explicitly the declarations in the proof system. In fact, the more precise formulation of this rule, that will be needed in the proofs, would be the following:

$$\dfrac{D \setminus \{p\}.p(x)\ \mathbf{sat}\ \phi \vdash_P D \setminus \{p\}.A\ \mathbf{sat}\ \phi}{D.p(x)\ \mathbf{sat}\ \phi}$$

Rule T7 allows one to weaken the specification.

As an example of a sketch of a derivation consider the agent $\exists x A$ where

$$A :: \mathbf{ask}(x = a) \to \mathbf{tell}(\mathit{true}) + \mathbf{ask}(\mathit{true}) \to \mathbf{tell}(y = b)$$

(constraints are equations on the Herbrand universe). By T1 and T7 we derive

$$\mathbf{tell}(y = b)\ \mathbf{sat}\ O(y = b) \quad \text{and} \quad \mathbf{tell}(\mathit{true})\ \mathbf{sat}\ O(\mathit{true}).$$

By T2 and T7 we subsequently derive

$$A\ \mathbf{sat}\ I(x = a) \vee \bigcirc O(y = b)$$

(note that $\neg I(\mathit{true})$ is logically equivalent to $\mathit{false}$ and $\mathit{false}\,\mathcal{U}\,\phi$ is equivalent to $\phi$). Using rule T4, we derive the correctness assertion

$$\exists x A\ \mathbf{sat}\ \exists x((I(x = a) \vee \bigcirc O(y = b)) \wedge \mathit{loc}(x)).$$

It is easy to see that $I(x = a) \wedge \mathit{loc}(x)$ implies $\mathit{false}$. So we have that $\exists x((I(x = a) \vee \bigcirc O(y = b)) \wedge \mathit{loc}(x))$ implies $\exists x(\mathit{loc}(x) \wedge \bigcirc O(y = b))$. Clearly this latter formula implies $\bigcirc O(y = b)$. Summarizing the above, we obtain a derivation of the correctness assertion $\exists x A\ \mathbf{sat}\ \bigcirc O(y = b)$ which states that in every reactive sequence of $\exists x A$ the constraint $y = b$ is produced in the next (wrt the start of the sequence) time instant.
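The satisfaction relation of Definition 3.3 and the derivation just sketched can be checked mechanically on sample sequences. The following Python program is an added example, not code from the paper: it evaluates the quantifier-free fragment of the logic (atoms $c \le d$ and $X(c)$, negation, conjunction, $\bigcirc$ and $\mathcal{U}$, with the abbreviations of Section 3.1) over sequences of predicate assignments obtained from constructed reactive sequences in a toy constraint system (an assumption of the example: constraints are finite sets of facts, entailment is set inclusion), expands the constraint quantifier of $\mathit{stut}$ over a finite set of facts, and verifies the laws following Definition 3.4, the $\bigcirc\Box\mathit{stut}$ part of axiom T1 for $\mathbf{tell}(c)$, and the assertion $\exists x A\ \mathbf{sat}\ \bigcirc O(y = b)$ on hand-built sequences of $\exists x A$. The function names are the example's own.

```python
# Added example (not from the paper): a checker for the quantifier-free fragment
# of the temporal logic of Definition 3.3, run over sequences of predicate
# assignments built from constructed reactive sequences. Toy constraint system
# (assumption): constraints are frozensets of facts, d |- c is the superset test.

def entails(d, c):
    return set(c) <= set(d)

TRUE = ("le", frozenset(), frozenset())            # true <= true, always holds

def Not(a): return ("not", a)
def And(a, b): return ("and", a, b)
def Or(a, b): return Not(And(Not(a), Not(b)))      # abbreviations of Section 3.1
def Implies(a, b): return Or(Not(a), b)
def Next(a): return ("next", a)
def Until(a, b): return ("until", a, b)
def Eventually(a): return Until(TRUE, a)            # true U phi
def Always(a): return Not(Eventually(Not(a)))       # not eventually not
def I(c): return ("pred", "I", c)                   # the process assumes input c
def O(c): return ("pred", "O", c)                   # the process has produced c

def next_rho(rho):
    """(next)rho of Section 3.1: drop v_1; a one-element sequence repeats forever."""
    return rho if len(rho) == 1 else rho[1:]

def holds(rho, phi):
    """rho |= phi, following the clauses of Definition 3.3 (no quantifiers)."""
    op = phi[0]
    if op == "le":                                  # c <= d  iff  d |- c
        return entails(phi[2], phi[1])
    if op == "pred":                                # X(c) iff rho_1(X) |- c
        return entails(rho[0][phi[1]], phi[2])
    if op == "not":
        return not holds(rho, phi[1])
    if op == "and":
        return holds(rho, phi[1]) and holds(rho, phi[2])
    if op == "next":
        return holds(next_rho(rho), phi[1])
    if op == "until":                               # psi at some suffix, phi before it
        for k in range(len(rho)):                   # suffixes beyond n equal rho[n-1:]
            if holds(rho[k:], phi[2]):
                return True
            if not holds(rho[k:], phi[1]):
                return False
        return False
    raise ValueError(op)

def from_reactive(seq):
    """rho = v_1 ... v_n with v_i(I) = c_i and v_i(O) = d_i (cf. R' in Definition 3.5)."""
    return [{"I": c, "O": d} for c, d in seq]

def stut(facts):
    """stut = forall p (O(p) -> I(p)), the quantifier expanded over a finite set of facts."""
    phi = TRUE
    for f in facts:
        p = frozenset({f})
        phi = And(phi, Implies(O(p), I(p)))
    return phi

def check_tell_axiom():
    """Constructed reactive sequence of tell(c) in the empty store: (true,c)(c,c).
    Returns (O(c), stut, (next)(always)stut): stut fails at time 1, where c is
    output but not yet input, and holds from time 2 on."""
    c = frozenset({"c"})
    rho = from_reactive([(frozenset(), c), (c, c)])
    return holds(rho, O(c)), holds(rho, stut(["c"])), holds(rho, Next(Always(stut(["c"]))))

def check_laws(seq, facts):
    """The two I/O laws and time-monotonicity of O (Section 3.1), p over the facts."""
    rho = from_reactive(seq)
    return all(holds(rho, Always(And(Implies(I(p), O(p)),
                                     And(Implies(O(p), Next(I(p))),
                                         Implies(O(p), Next(O(p)))))))
               for p in (frozenset({f}) for f in facts))

def check_hiding_example():
    """Reactive sequences of (exists x)A from Section 3.2, constructed by hand from
    Table 1: without environment input, and with the input x=a (hidden from A).
    The derived assertion (exists x)A sat (next)O(y=b) must hold for both."""
    xa, yb = frozenset({"x=a"}), frozenset({"y=b"})
    seqs = [[(frozenset(), frozenset()), (frozenset(), yb), (yb, yb)],
            [(xa, xa), (xa, xa | yb), (xa | yb, xa | yb)]]
    return all(holds(from_reactive(s), Next(O(yb))) for s in seqs)

if __name__ == "__main__":
    print(check_tell_axiom(), check_hiding_example())
```

The until clause walks the finite suffixes only: since $\rho$ stands for $v_1 \cdots v_n, v_n, v_n \cdots$, every suffix beyond the $n$-th coincides with $\rho_n$ alone, so if $\psi$ has not held by then it never will. `Always` is built from `Eventually` and negation exactly as $\Box\phi$ abbreviates $\neg\Diamond\neg\phi$ in the text.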
4 Soundness and completeness



We investigate now soundness and completeness of the above calculus. Here and in the following, in order to clarify some technical details, we consider processes of the form $D.A$ rather than agents of the form $A$ with a separate set of declarations $D$. All the previous definitions can be extended to processes in the obvious way. We also denote by $\vdash_P D.A\ \mathbf{sat}\ \phi$ the derivability of the correctness assertion $D.A\ \mathbf{sat}\ \phi$ in the proof system introduced in the previous section (assuming as additional axioms in rule T7 all valid temporal formulas).

Soundness means that every provable correctness assertion is valid: whenever $\vdash_P D.A\ \mathbf{sat}\ \phi$, i.e. $D.A\ \mathbf{sat}\ \phi$ is derivable, then $\models D.A\ \mathbf{sat}\ \phi$. Completeness on the other hand consists in the derivability of every valid correctness assertion: whenever $\models D.A\ \mathbf{sat}\ \phi$ then $\vdash_P D.A\ \mathbf{sat}\ \phi$ (in TL).

At the heart of the soundness and completeness results that we are going to prove lies the compositionality of the semantics $R'$, which follows from the compositionality of the underlying semantics $R$. In order to prove such a compositionality, we first introduce a denotational semantics $[\![D.A]\!](e)$ where, for technical reasons, we represent explicitly the environment $e$ which associates a denotation to each procedure identifier. More precisely, assuming that $\mathit{Pvar}$ denotes the set of procedure identifiers, $\mathit{Env} = \mathit{Pvar} \to \mathcal{P}(\mathcal{S})$, with typical element $e$, is the set of environments.

Given a process $D.A$, the denotational semantics $[\![D.A]\!] : \mathit{Env} \to \mathcal{P}(\mathcal{S})$ is defined by the equations in Table [?], where $\mu$ denotes the least fixpoint wrt subset inclusion of elements of $\mathcal{P}(\mathcal{S})$. The semantic operators appearing in that table are formally defined as follows. Intuitively they reflect, in terms of reactive sequences, the operational behaviour of their syntactic counterparts.

Definition 4.1 Let $S, S_i$ be sets of reactive sequences and $c, c_i$ be constraints. Then we define the
operators $\sum_{i=1}^n c_i \to S_i$, $\|$, $\mathit{now}$ and $\exists x$ as follows:

Guarded Choice

$$\sum_{i=1}^n c_i \to S_i = \{ s \cdot s' \in \mathcal{S} \mid s = (d_1,d_1)\cdots(d_m,d_m),\ d_j \not\vdash c_i \text{ for each } j \in [1,m-1],\ i \in [1,n],\ d_m \vdash c_h \text{ and } s' \in S_h \text{ for an } h \in [1,n] \}$$
$$\cup\ \{ s \in \mathcal{S} \mid s = (d_1,d_1)\cdots(d_m,d_m),\ d_j \not\vdash c_i \text{ for each } j \in [1,m],\ i \in [1,n] \}.$$

Parallel Composition Let $\| \in \mathcal{S} \times \mathcal{S} \to \mathcal{S}$ be the (commutative and associative) partial operator defined
as follows:

$$(c_1,d_1)\cdots(c_n,d_n)(d,d)\ \|\ (c_1,e_1)\cdots(c_n,e_n)(d,d) = (c_1, d_1 \sqcup e_1)\cdots(c_n, d_n \sqcup e_n)(d,d).$$

We define $S_1 \| S_2$ as the point-wise extension of the above operator to sets.

The Now-Operator

$$\mathit{now}(c, S_1, S_2) = \{ s \in \mathcal{S} \mid s = (c',d)\cdot s' \text{ and either } c' \vdash c \text{ and } s \in S_1 \text{ or } c' \not\vdash c \text{ and } s \in S_2 \}.$$

The Hiding Operator We first need the following notions, similar to those used in [ref]:

Given a sequence $s = (c_1,d_1)\cdots(c_n,d_n)$, we denote by $\exists x\, s$ the sequence $(\exists x\, c_1, \exists x\, d_1)\cdots(\exists x\, c_n, \exists x\, d_n)$.

A sequence $s' = (c_1,d_1)\cdots(c_n,d_n)$ is x-connected if

• $\exists x\, c_1 = c_1$ (that is, the input constraint of s' does not contain information on x) and

• $\exists x\, c_i \sqcup d_{i-1} = c_i$ for each $i \in [2,n]$ (that is, each assumption $c_i$ does not contain any information on
x which has not been produced previously in the sequence by some $d_j$).

A sequence s is x-invariant if

• for all computation steps (c,d) of s, $d = \exists x\, d \sqcup c$ holds.

The semantic hiding operator then can be defined as follows:

$$\exists x\, S = \{ s \in \mathcal{S} \mid \text{there exists } s' \in S \text{ such that } \exists x\, s = \exists x\, s',\ s' \text{ is x-connected and } s \text{ is x-invariant} \}.$$


A few explanations are in order here. Concerning the semantic choice operator, a sequence in $\sum_{i=1}^n c_i \to S_i$
consists of an initial period of waiting for (a constraint stronger than) one of the constraints $c_i$. During
this waiting period only the environment is active, producing the constraints $d_j$, while the process itself
generates the stuttering steps $(d_j,d_j)$. Here we can add several pairs since the external environment can
take several time-units to produce the required constraint. When the contribution of the environment is
strong enough to entail a $c_h$, the resulting sequence is obtained by adding $s' \in S_h$ to the initial waiting
period.

In the semantic parallel operator defined on sequences we require that the two arguments of the operator
agree at each point of time with respect to the contribution of the environment (the $c_i$'s) and that they
have the same length (in all other cases the parallel composition is undefined).

In the definition of $\exists x$ we say that a sequence is x-connected if no information on x is present in the input
constraints which has not already been accumulated by the computation of the agent itself. A sequence
is x-invariant if its computation steps do not provide more information on x.

If D.A is a closed process, that is if all the procedure names occurring in A are defined in D, then
$[\![D.A]\!](e)$ does not depend on e and will be indicated as $[\![D.A]\!]$. Environments in general allow us to
define the semantics also of processes which are not closed, and this will be used in the soundness proof.

The following result shows the correspondence between the two semantics we have introduced and there-
fore the compositionality of R(A).

Theorem 4.2 If D.A is closed then $R(A) = [\![D.A]\!]$ holds.

E1 $[\![D.\mathbf{stop}]\!](e) = \{ (c_1,c_1)\cdots(c_n,c_n) \in \mathcal{S} \mid n \geq 1 \}$

E2 $[\![D.\mathbf{tell}(c)]\!](e) = \{ (d, d \sqcup c)\cdot s \in \mathcal{S} \mid s \in [\![D.\mathbf{stop}]\!](e) \}$

E3 $[\![D.\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i]\!](e) = \sum_{i=1}^n c_i \to [\![D.A_i]\!](e)$

E4 $[\![D.\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B]\!](e) = \mathit{now}(c, [\![D.A]\!](e), [\![D.B]\!](e))$

E5 $[\![D.A \,\|\, B]\!](e) = [\![D.A]\!](e) \,\|\, [\![D.B]\!](e)$

E6 $[\![D.\exists x A]\!](e) = \exists x\, [\![D.A]\!](e)$

E7 $[\![D.p(x)]\!](e) = \mu\Psi$

where $\Psi(f) = [\![D \setminus \{p\}.A]\!](e\{f/p\})$, $p(x) :: A \in D$

Table 3: The semantics $[\![D.A]\!](e)$.
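The following Python is an added executable reading of Definition 4.1 and of equations E1-E6 of Table 3; it is example code written for this page, not code from the paper. It assumes a toy constraint system in which a constraint is a finite set of atoms of the form "var=value", the join $\sqcup$ is set union, entailment $\vdash$ is set inclusion, and $\exists x$ drops every atom mentioning x. Sets of reactive sequences are infinite, so they are represented as membership tests; for that reason the hiding operator is checked against an explicit witness $s' \in S$, and the recursion equation E7 is not modelled. The constructed run is $\mathbf{ask}(x{=}1) \to \mathbf{tell}(y{=}2) \,\|\, \mathbf{tell}(x{=}1)$ with an environment that only feeds back what the processes produced, which shows how the assumption $x{=}1$ in the first process's input is discharged by the second process's output, and how hiding x leaves a sequence that exposes only $y{=}2$.

```python
# Executable model of Definition 4.1 and equations E1-E6 of Table 3 (added
# example, not from the paper). Assumed toy constraint system: a constraint is
# a frozenset of atoms "var=value"; join is union, entailment is superset,
# and existential quantification of x drops every atom whose variable is x.
# Sets of reactive sequences are infinite, so they are membership tests.
from typing import Callable, List, Optional, Tuple

Constraint = frozenset
Step = Tuple[Constraint, Constraint]   # (c, d): environment input c, response d
Seq = List[Step]                        # reactive sequence: non-empty, d includes c
SeqSet = Callable[[Seq], bool]

def C(*atoms: str) -> Constraint:
    return frozenset(atoms)

def entails(d: Constraint, c: Constraint) -> bool:     # d |- c
    return c <= d

def join(c: Constraint, d: Constraint) -> Constraint:  # c join d
    return c | d

def hide(x: str, c: Constraint) -> Constraint:         # exists x c
    return frozenset(a for a in c if a.split("=", 1)[0] != x)

def is_reactive(s: Seq) -> bool:
    return len(s) >= 1 and all(entails(d, c) for c, d in s)

def is_stutter(step: Step) -> bool:
    return step[0] == step[1]

# Guarded choice: stutter while no guard is entailed; once the environment's
# d_m entails some c_h the remainder must lie in S_h; or stutter throughout
# without any guard ever being entailed.
def choice(guards: List[Constraint], branches: List[SeqSet]) -> SeqSet:
    def member(s: Seq) -> bool:
        if not is_reactive(s):
            return False
        for m, step in enumerate(s, start=1):
            if not is_stutter(step):
                return False
            fired = [h for h, g in enumerate(guards) if entails(step[1], g)]
            if fired:
                rest = s[m:]
                return bool(rest) and any(branches[h](rest) for h in fired)
        return True
    return member

# Parallel composition on sequences: partial, defined only for equal length,
# identical inputs and a common final stuttering step (d, d).
def parallel_seq(s1: Seq, s2: Seq) -> Optional[Seq]:
    if len(s1) != len(s2) or any(a[0] != b[0] for a, b in zip(s1, s2)):
        return None
    if not (is_stutter(s1[-1]) and s1[-1] == s2[-1]):
        return None
    return [(c, join(d, e)) for (c, d), (_, e) in zip(s1, s2)]

def now(c: Constraint, S1: SeqSet, S2: SeqSet) -> SeqSet:
    return lambda s: is_reactive(s) and (S1(s) if entails(s[0][0], c) else S2(s))

def hide_seq(x: str, s: Seq) -> Seq:          # exists x s, point-wise
    return [(hide(x, c), hide(x, d)) for c, d in s]

def x_connected(x: str, s: Seq) -> bool:
    return hide(x, s[0][0]) == s[0][0] and all(
        join(hide(x, s[i][0]), s[i - 1][1]) == s[i][0] for i in range(1, len(s)))

def x_invariant(x: str, s: Seq) -> bool:
    return all(join(hide(x, d), c) == d for c, d in s)

# s in (exists x S), checked against an explicit witness s' in S: the set
# cannot be searched, so the caller supplies the witness.
def in_hiding(x: str, s: Seq, witness: Seq) -> bool:
    return (hide_seq(x, s) == hide_seq(x, witness)
            and x_connected(x, witness) and x_invariant(x, s))

# Equations E1 and E2 of Table 3.
def stop() -> SeqSet:
    return lambda s: is_reactive(s) and all(is_stutter(st) for st in s)

def tell(c: Constraint) -> SeqSet:
    return lambda s: len(s) >= 2 and s[0][1] == join(s[0][0], c) and stop()(s[1:])

# Constructed run of  ask(x=1) -> tell(y=2)  ||  tell(x=1)  with an environment
# that only feeds back what the processes themselves produced.
S_ASK = [(C(), C()), (C("x=1"), C("x=1")), (C("x=1"), C("x=1", "y=2")),
         (C("x=1", "y=2"), C("x=1", "y=2"))]
S_TELL = [(C(), C("x=1")), (C("x=1"), C("x=1")), (C("x=1"), C("x=1")),
          (C("x=1", "y=2"), C("x=1", "y=2"))]
ASK_PROC = choice([C("x=1")], [tell(C("y=2"))])

def composite() -> Optional[Seq]:
    return parallel_seq(S_ASK, S_TELL)

if __name__ == "__main__":
    s = composite()
    print(ASK_PROC(S_ASK), tell(C("x=1"))(S_TELL), s)
    print(x_connected("x", s), in_hiding("x", hide_seq("x", s), s))
```

Running the module shows that S_ASK belongs to the denotation of the choice, S_TELL to that of tell(x=1), and that their parallel composition is x-connected (every occurrence of x=1 in an input was produced one step earlier by a process), while it is not x-invariant because the composite itself produces information on x; its x-hidden projection is x-invariant and is therefore a member of $\exists x$ applied to the composite, with the composite as witness.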

In order to prove the soundness of the calculus we have to interpret also correctness assertions about
arbitrary processes (that is, including processes which do contain undefined procedure variables).

Definition 4.3 Given an underlying constraint system C and an environment e, we define $\models_e D.A\ \mathit{sat}\ \phi$
iff

$\rho \models \phi$, for all $\rho \in [\![D.A]\!]'(e)$,

where

$$[\![D.A]\!]'(e) = \{ \rho_1, \ldots, \rho_n \mid (\rho_1(I), \rho_1(O)) \cdots (\rho_n(I), \rho_n(O)) \in [\![D.A]\!](e) \}.$$

Note that, for closed processes, $\models_e$ coincides with $\models$ as previously defined. We first need the following
Lemma.

Lemma 4.4 Let $\phi$ be a temporal formula, $\rho$ and $\rho'$ be sequences of predicate assignments and let V be a
variable such that either $V \in M$ or V is a variable x of the underlying constraint system. The following
holds:

1. Assume that $\rho \models \phi$. Then $\rho' \models \exists V \phi$ for each $\rho'$ such that $\exists V \rho = \exists V \rho'$.

2. Assume that $\rho \models \exists V \phi$ and $FV_{constr}(\phi) = \emptyset$. Then there exists $\rho'$ such that $\rho' \models \phi$ and $\exists V \rho' = \exists V \rho$.

Proof

1. Assume that $\rho \models \phi$. By Definition 3.3, $\rho \models_\gamma \phi$ for each $\gamma$, and then for each $\rho'$ such that $\exists V \rho = \exists V \rho'$
we have that $\rho' \models_\gamma \exists V \phi$ for each $\gamma$. Therefore, by Definition 3.3, $\rho' \models \exists V \phi$.

2. Assume that $\rho \models \exists V \phi$ and $FV_{constr}(\phi) = \emptyset$. By Definition 3.3, $\rho \models_\gamma \exists V \phi$ for each $\gamma$. Then, by
the definition of the satisfaction relation for $\exists V$, for each $\gamma$ there exists $\rho'$ such that $\exists V \rho = \exists V \rho'$ and $\rho' \models_\gamma \phi$. Since by hypothesis
$FV_{constr}(\phi) = \emptyset$, whenever $\rho' \models_\gamma \phi$ we also have that $\rho' \models \phi$, and then the thesis holds.

The following Theorem is the core of the soundness result.

Theorem 4.5 Let us denote $D_i.A_i$ by $P_i$ for $1 \leq i \leq n$ and D.A by P. If

$P_1\ \mathit{sat}\ \phi_1, \ldots, P_n\ \mathit{sat}\ \phi_n \vdash_P P\ \mathit{sat}\ \phi$ and $\models_e P_i\ \mathit{sat}\ \phi_i$,

for $i = 1, \ldots, n$, then

$\models_e P\ \mathit{sat}\ \phi$.

Proof The proof is by induction on the length l of the derivation.

(l = 1) In this case $A = \mathbf{tell}(c)$ and $\vdash_P D.\mathbf{tell}(c)\ \mathit{sat}\ O(c) \wedge \forall p\,(O(p) \to \exists q\,(I(q) \wedge q \sqcup c = p)) \wedge \bigcirc\Box\mathit{stut}$. By
Definition 4.3 we have to prove that for any e, $\rho \models O(c) \wedge \forall p\,(O(p) \to \exists q\,(I(q) \wedge q \sqcup c = p)) \wedge \bigcirc\Box\mathit{stut}$,
for all $\rho \in [\![D.\mathbf{tell}(c)]\!]'(e)$. By equation E2 of Table 3 and Definition 4.3,

$$[\![D.\mathbf{tell}(c)]\!]'(e) = \{ \rho \mid \rho_1(O) = \rho_1(I) \sqcup c \text{ and } \rho_i(O) = \rho_i(I) \text{ for } i \in [2, l(\rho)] \}.$$

The remainder of the proof for this case is straightforward.

(l > 1) We distinguish various cases according to the last rule applied in the derivation.

Rule T2. In this case $\vdash_P D.\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i\ \mathit{sat}\ \chi$, where $\chi$ is the formula

$$\bigvee_{i=1}^n \Big( \big(\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut}\big)\ \mathcal{U}\ \big(I(c_i) \wedge \mathit{stut} \wedge \bigcirc\phi_i\big) \Big)\ \vee\ \Box\big(\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut}\big).$$

Since for each $i \in [1,n]$ the proof of $D.A_i\ \mathit{sat}\ \phi_i$ is shorter than the current one, from the inductive
hypothesis it follows that, for every environment e and for each $i \in [1,n]$, $\models_e D.A_i\ \mathit{sat}\ \phi_i$, that
is, $\rho \models \phi_i$ for all $\rho \in [\![D.A_i]\!]'(e)$.

Let us take a particular e. By Definition 4.3, we have to prove that $\rho \models \chi$ for all
$\rho \in [\![D.\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i]\!]'(e)$.

By equation E3 of Table 3 and Definitions 4.1 and 4.3, $[\![D.\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i]\!]'(e) = D_1 \cup D_2$,
where

$$D_1 = \{ \rho \cdot \rho' \mid \rho_j(O) = \rho_j(I) \text{ and } \rho_j(I) \not\vdash c_i \text{ for each } j \in [1, l(\rho)-1],\ i \in [1,n],$$
$$\qquad\quad \rho_{l(\rho)}(I) \vdash c_h,\ \rho_{l(\rho)}(O) = \rho_{l(\rho)}(I) \text{ and } \rho' \in [\![D.A_h]\!]'(e) \text{ for an } h \in [1,n] \}$$
and
$$D_2 = \{ \rho \mid \rho_j(O) = \rho_j(I) \text{ and } \rho_j(I) \not\vdash c_i \text{ for each } j \in [1, l(\rho)],\ i \in [1,n] \}.$$

Now, it is straightforward to prove that if $\rho \in D_2$ then $\rho \models \Box(\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut})$. Moreover,
since by inductive hypothesis for each $i \in [1,n]$, $\models_e D.A_i\ \mathit{sat}\ \phi_i$, we have that if $\rho \in D_1$ then
$\rho \models \bigvee_{i=1}^n \big((\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut})\ \mathcal{U}\ (I(c_i) \wedge \mathit{stut} \wedge \bigcirc\phi_i)\big)$, and then the thesis.
Rule T3 In this case $\vdash_P \mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B\ \mathit{sat}\ (I(c) \wedge \phi) \vee (\neg I(c) \wedge \psi)$. Since the proofs of
$A\ \mathit{sat}\ \phi$ and $B\ \mathit{sat}\ \psi$ are shorter than the current one, the induction hypothesis says that for
every environment e we have $\models_e D.A\ \mathit{sat}\ \phi$ and $\models_e D.B\ \mathit{sat}\ \psi$, i.e. $\rho \models \phi$ and $\rho' \models \psi$ for
all $\rho \in [\![D.A]\!]'(e)$ and $\rho' \in [\![D.B]\!]'(e)$.

Let us take a particular e. By Definition 4.3, we have to prove that $\rho \models (I(c) \wedge \phi) \vee (\neg I(c) \wedge \psi)$
for all $\rho \in [\![D.\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B]\!]'(e)$. Now the proof is immediate, by observing that by
equation E4 of Table 3 and Definitions 4.1 and 4.3, $[\![D.\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B]\!]'(e) = D_1 \cup D_2$,
where

$$D_1 = \{ \rho \mid \rho_1(I) \vdash c \text{ and } \rho \in [\![D.A]\!]'(e) \} \quad \text{and} \quad D_2 = \{ \rho' \mid \rho'_1(I) \not\vdash c \text{ and } \rho' \in [\![D.B]\!]'(e) \}.$$

Rule T4 In this case $\vdash_P \exists x A\ \mathit{sat}\ \exists x(\phi \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x)$. Since the proof of $A\ \mathit{sat}\ \phi$ is shorter than
the current one, the induction hypothesis says that for every environment e, $\models_e D.A\ \mathit{sat}\ \phi$,
i.e. $\rho' \models \phi$ for all $\rho' \in [\![D.A]\!]'(e)$. Let us consider a particular e. By Definition 4.3, we have
to prove that $\rho \models \exists x(\phi \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x)$ for all $\rho \in [\![D.\exists x A]\!]'(e)$. By equation E6 of Table 3
and Definitions 4.1 and 4.3, $\rho \in [\![D.\exists x A]\!]'(e)$ if and only if there exists $\rho' \in [\![D.A]\!]'(e)$ such
that $l(\rho) = l(\rho')$ and the following conditions hold:

1. for each $i \in [1, l(\rho)]$, $\exists x\, \rho_i(I) = \exists x\, \rho'_i(I)$ and $\exists x\, \rho_i(O) = \exists x\, \rho'_i(O)$,

2. $\exists x\, \rho'_1(I) = \rho'_1(I)$ and for each $i \in [2, l(\rho)]$, $\exists x\, \rho'_i(I) \sqcup \rho'_{i-1}(O) = \rho'_i(I)$,

3. for each $i \in [1, l(\rho)]$, $\rho_i(O) = \exists x\, \rho_i(O) \sqcup \rho_i(I)$.

Since for any sequence $\rho$ of predicate assignments and for any tccp process D.A, $\rho \in [\![D.A]\!]'(e)$
if and only if its 'projection' onto the distinguished predicates I and O generates a reactive
sequence of D.A, by 1. we can assume without loss of generality that $\exists x\, \rho = \exists x\, \rho'$. From 2.,
the definition of $\mathit{loc}(x)$ and the inductive hypothesis it follows that $\rho' \models \phi \wedge \mathit{loc}(x)$. Therefore,
the previous equality and case 1 of Lemma 4.4 imply that $\rho \models \exists x(\phi \wedge \mathit{loc}(x))$ holds. Moreover,
by 3. and by definition of $\mathit{inv}(x)$ we obtain that $\rho \models \mathit{inv}(x)$, thus proving the thesis for this
case.

Rule T5 In this case $\vdash_P A \,\|\, B\ \mathit{sat}\ \chi$, where $\chi$ is the formula

$$\exists X,Y\,(\phi[X/O] \wedge \psi[Y/O] \wedge \mathit{par}(X,Y)),$$

$X,Y \in M$, $X \neq Y$ and $X,Y \notin FV(\phi) \cup FV(\psi)$. Since the proofs of $A\ \mathit{sat}\ \phi$ and $B\ \mathit{sat}\ \psi$ are
shorter than the current one, the induction hypothesis says that for every environment e we
have $\models_e D.A\ \mathit{sat}\ \phi$ and $\models_e D.B\ \mathit{sat}\ \psi$, i.e. $\rho' \models \phi$ and $\rho'' \models \psi$ for all $\rho' \in [\![D.A]\!]'(e)$ and
$\rho'' \in [\![D.B]\!]'(e)$.

Let us take a particular e. By Definition 4.3, we have to prove that $\rho \models \chi$ for all $\rho \in [\![D.A \,\|\, B]\!]'(e)$.
Assume that $\rho \in [\![D.A \,\|\, B]\!]'(e)$. By equation E5 of Table 3 and Definitions 4.1 and
4.3, there exist $\rho' \in [\![D.A]\!]'(e)$ and $\rho'' \in [\![D.B]\!]'(e)$ such that $l(\rho) = l(\rho') = l(\rho'')$ and for
each $i \in [1, l(\rho)]$, $\rho_i(I) = \rho'_i(I) = \rho''_i(I)$ and $\rho_i(O) = \rho'_i(O) \sqcup \rho''_i(O)$. Since for any sequence
$\rho$ of predicate assignments and for any tccp process D.A, $\rho \in [\![D.A]\!]'(e)$ if and only if its
'projection' on the distinguished predicates I and O generates a reactive sequence of D.A, by the
previous observation we can assume without loss of generality that $\rho_i(Z) = \rho'_i(Z) = \rho''_i(Z)$ for
each $i \in [1, l(\rho)]$ and for each $Z \in M$ such that $Z \neq O$. Now we can construct a new sequence
$\bar\rho$ of predicate assignments, of the same length as $\rho$, such that $\bar\rho_i(X) = \rho'_i(O)$, $\bar\rho_i(Y) = \rho''_i(O)$ and
$\bar\rho_i(Z) = \rho_i(Z)$ for each $i \in [1, l(\rho)]$ and for each $Z \in M$ such that $Z \neq X, Y$. Since X and Y
are not free in $\phi$ and $\psi$, and by inductive hypothesis $\rho' \models \phi$ and $\rho'' \models \psi$ hold, by construction
we obtain that $\bar\rho \models \phi[X/O]$ and $\bar\rho \models \psi[Y/O]$. Moreover, by construction $\bar\rho \models \mathit{par}(X,Y)$ holds.
Therefore $\bar\rho \models \phi[X/O] \wedge \psi[Y/O] \wedge \mathit{par}(X,Y)$ and the thesis follows from case 1 of Lemma 4.4
by observing that $\exists X,Y\,\rho = \exists X,Y\,\bar\rho$.

Rule T6 In this case $\vdash_P D.p(x)\ \mathit{sat}\ \phi$. Since the proof of $D \setminus \{p\}.p(x)\ \mathit{sat}\ \phi \vdash_P D \setminus \{p\}.A\ \mathit{sat}\ \phi$ is
shorter than the current one, the induction hypothesis says that for every environment e such
that $\models_e D \setminus \{p\}.p(x)\ \mathit{sat}\ \phi$ we also have that $\models_e D \setminus \{p\}.A\ \mathit{sat}\ \phi$. Let us take a particular e.
We have to show that $\models_e D.p(x)\ \mathit{sat}\ \phi$ holds or, in other words, that if $\rho \in [\![D.p(x)]\!]'(e)$ then
$\rho \models \phi$.

Now $[\![D.p(x)]\!](e) = \mu\Psi$, where $\mu\Psi = \bigcup_n f_n$, with $f_0 = \emptyset$ and $f_{n+1} = [\![D \setminus \{p\}.A]\!](e\{f_n/p\})$. Thus
it suffices to prove by induction that for all n, if $\rho \in f_n$ then $\rho \models \phi$. The base case is obvious.
Suppose that the thesis holds for $f_n$, so for $e' = e\{f_n/p\}$ we have that $\models_{e'} D \setminus \{p\}.p(x)\ \mathit{sat}\ \phi$
holds. Thus we infer that $\models_{e'} D \setminus \{p\}.A\ \mathit{sat}\ \phi$. Since by definition $f_{n+1} = [\![D \setminus \{p\}.A]\!](e\{f_n/p\})$,
we have that if $\rho \in f_{n+1}$ then $\rho \models \phi$, which completes the proof.

Rule T7 The proof is immediate.

Since $R(A) = [\![D.A]\!](e)$ holds for any closed process D.A with e arbitrary, whenever $\models_e D.A\ \mathit{sat}\ \phi$ we also
have $\models D.A\ \mathit{sat}\ \phi$. Hence from the above result, with n = 0, we can derive immediately the soundness
of the system.

Corollary 4.6 (Soundness) The proof system consisting of the rules T1-T7 is sound, that is, given a
closed process D.A, if $\vdash_P D.A\ \mathit{sat}\ \phi$ then $\models D.A\ \mathit{sat}\ \phi$ holds, for every correctness assertion $D.A\ \mathit{sat}\ \phi$.

Following the standard notion of completeness for Hoare-style proof systems as introduced by [ref], we
consider here a notion of relative completeness. We assume the existence of a property which describes
exactly the denotation of a process, that is, we assume that for any process D.A there exists a formula,
that for the sake of simplicity we denote by $\psi(A)$, such that $\rho \in R'(A)$ iff $\rho \models \psi(A)$ holds.¹ This is
analogous to assuming the expressibility of the strongest postcondition of a process P, as with standard
Hoare-like proof systems. Furthermore, we assume as additional axioms all the valid temporal formulas
(for use in the consequence rule). Also this assumption, in general, is needed to obtain completeness of
Hoare logics.

Analogously to the previous case, the completeness of the system is a corollary of the following Theorem.

Theorem 4.7 Let $D = \{p_1(x_1) :: A_1, \ldots, p_n(x_n) :: A_n\}$ be a set of declarations and A an agent which
involves only calls to procedures declared in D. Then we have

$$\Phi_1, \ldots, \Phi_n \vdash_P A\ \mathit{sat}\ \psi(A),$$

where, for $i = 1, \ldots, n$, $\Phi_i = p_i(x_i)\ \mathit{sat}\ \psi(p_i(x_i))$.

Proof First observe that, for $i = 1, \ldots, n$, we can assume $FV_{constr}(\psi(p_i(x_i))) = \emptyset$. In fact, from the
definition of $\models$ it follows that $\rho \in R'(p_i(x_i))$ if and only if $\rho \models_\gamma \psi(p_i(x_i))$ for each constraint assignment
$\gamma$, and this holds if and only if $\rho \models \forall_{constr}(\psi(p_i(x_i)))$, where $\forall_{constr}(\psi(p_i(x_i)))$ is the universal closure over the
constraint variables of the formula $\psi(p_i(x_i))$. Therefore we can assume that all the constraint variables
in $\psi(p_i(x_i))$ are universally quantified, thus there are no free constraint variables.

¹In order to describe recursion, the syntax of the temporal formulas has to be extended with a fixpoint operator of the
form $\mu p(x).\phi$, where p(x) is supposed to occur positively in $\phi$ and the variable x denotes the formal parameter associated
with the procedure p (see [ref]). The meaning of $\mu p(x).\phi$ is given by a least fixpoint construction which is defined in terms
of the lattice of sets of sequences of predicate assignments ordered by set inclusion.

We prove now, by induction on the complexity of A, that $\Phi_1, \ldots, \Phi_n \vdash_P A\ \mathit{sat}\ \psi(A)$ and $FV_{constr}(\psi(A)) = \emptyset$.

(tell(c)) In this case, since $FV_{constr}(O(c) \wedge \forall p\,(O(p) \to \exists q\,(I(q) \wedge q \sqcup c = p)) \wedge \bigcirc\Box\mathit{stut}) = \emptyset$, we have
only to prove that

$$\psi(\mathbf{tell}(c)) = O(c) \wedge \forall p\,(O(p) \to \exists q\,(I(q) \wedge q \sqcup c = p)) \wedge \bigcirc\Box\mathit{stut}.$$

The proof is straightforward, since Definition 3.4, Theorem 4.2 and equation E2 of Table 3 imply
that the following equality holds:

$$R'(\mathbf{tell}(c)) = \{ \rho \mid \rho_1(O) = \rho_1(I) \sqcup c \text{ and } \rho_i(O) = \rho_i(I) \text{ for } i \in [2, l(\rho)] \}.$$

($\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i$) By inductive hypothesis we obtain that

$\Phi_1, \ldots, \Phi_n \vdash_P A_i\ \mathit{sat}\ \psi(A_i)$ and $FV_{constr}(\psi(A_i)) = \emptyset$,

for $i = 1, 2, \ldots, n$. Then by rule T2 we obtain also that

$\Phi_1, \ldots, \Phi_n \vdash_P A\ \mathit{sat}\ \beta$

where

$$\beta = \bigvee_{i=1}^n \Big( \big(\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut}\big)\ \mathcal{U}\ \big(I(c_i) \wedge \mathit{stut} \wedge \bigcirc\psi(A_i)\big) \Big)\ \vee\ \Box\big(\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut}\big).$$

The inductive hypothesis implies that

$FV_{constr}(\beta) = \emptyset$.

Then, in order to prove the thesis we have to show that

$\beta = \psi(\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i)$

holds, that is, we have to prove that $\rho \in R'(\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i)$ if and only if $\rho \models \beta$.

(Only if). Assume that $\rho \in R'(\sum_{i=1}^n \mathbf{ask}(c_i) \to A_i)$. By Theorem 4.2, equation E3 in Table 3 and
Definition 4.1 it follows that $\rho \in D_1 \cup D_2$ where

$$D_1 = \{ \rho \cdot \rho' \mid \rho_j(O) = \rho_j(I) \text{ and } \rho_j(I) \not\vdash c_i \text{ for each } j \in [1, l(\rho)-1],\ i \in [1,n],$$
$$\qquad\quad \rho_{l(\rho)}(I) \vdash c_h,\ \rho_{l(\rho)}(O) = \rho_{l(\rho)}(I) \text{ and } \rho' \in [\![D.A_h]\!]' \text{ for an } h \in [1,n] \}$$
and
$$D_2 = \{ \rho \mid \rho_j(O) = \rho_j(I) \text{ and } \rho_j(I) \not\vdash c_i \text{ for each } j \in [1, l(\rho)],\ i \in [1,n] \}.$$

By definition of $\psi(A)$ and Definition 3.5, if $\rho' \in [\![D.A_h]\!]'$ then $\rho' \models \psi(A_h)$. Therefore, if $\rho \in D_1$ then
$\rho \models (\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut})\ \mathcal{U}\ (I(c_h) \wedge \mathit{stut} \wedge \bigcirc\psi(A_h))$ for an $h \in [1,n]$, which implies $\rho \models \beta$ by definition of
disjunction and of $\beta$.

If $\rho \in D_2$ then clearly $\rho \models \Box(\bigwedge_{j=1}^n \neg I(c_j) \wedge \mathit{stut})$ and therefore $\rho \models \beta$. This completes the proof of
the "Only if" part. The proof of the other implication is analogous (by using $D_1$ and $D_2$ above)
and hence omitted.

(now c then A else B) By inductive hypothesis we obtain

$\Phi_1, \ldots, \Phi_n \vdash_P A\ \mathit{sat}\ \psi(A)$, $\Phi_1, \ldots, \Phi_n \vdash_P B\ \mathit{sat}\ \psi(B)$ and $FV_{constr}(\psi(A)) = FV_{constr}(\psi(B)) = \emptyset$.

Therefore rule T3 implies that

$\Phi_1, \ldots, \Phi_n \vdash_P \mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B\ \mathit{sat}\ (I(c) \wedge \psi(A)) \vee (\neg I(c) \wedge \psi(B))$.

Since the inductive hypothesis implies also that $FV_{constr}((I(c) \wedge \psi(A)) \vee (\neg I(c) \wedge \psi(B))) = \emptyset$, to
prove the thesis we have only to show that

$(I(c) \wedge \psi(A)) \vee (\neg I(c) \wedge \psi(B)) = \psi(\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B)$

holds, that is, we have to show that $\rho \in R'(\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B)$ if and only if $\rho \models (I(c) \wedge \psi(A)) \vee
(\neg I(c) \wedge \psi(B))$. The proof is straightforward, by observing that from the definition of $\psi(A)$ and
$\psi(B)$, from Definition 3.5, Theorem 4.2, equation E4 of Table 3 and Definition 4.1 the
following equality follows:

$$R'(\mathbf{now}\ c\ \mathbf{then}\ A\ \mathbf{else}\ B) = \{ \rho \mid \rho_1(I) \vdash c \text{ and } \rho \models \psi(A) \} \cup \{ \rho' \mid \rho'_1(I) \not\vdash c \text{ and } \rho' \models \psi(B) \}.$$

($\exists x A$) The inductive hypothesis implies that

$\Phi_1, \ldots, \Phi_n \vdash_P A\ \mathit{sat}\ \psi(A)$ and $FV_{constr}(\psi(A)) = \emptyset$

and therefore, by rule T4, we obtain that

$\Phi_1, \ldots, \Phi_n \vdash_P \exists x A\ \mathit{sat}\ \exists x(\psi(A) \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x)$.

From the inductive hypothesis and the definitions of $\mathit{loc}(x)$ and of $\mathit{inv}(x)$, we obtain that

$FV_{constr}(\exists x(\psi(A) \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x)) = \emptyset$. (1)

In order to prove the thesis, we have then to show that

$\exists x(\psi(A) \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x) = \psi(\exists x A)$

holds, that is, we have to prove that $\rho \in R'(\exists x A)$ if and only if $\rho \models \exists x(\psi(A) \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x)$.

Assume now that $\rho \in R'(\exists x A)$. Definition 3.5, Theorem 4.2, equation E6 of Table 3, Definition 4.1
and the definition of $\psi(A)$ imply that there exists $\rho'$ such that $\rho' \models \psi(A)$, $l(\rho) = l(\rho')$ and the
following conditions hold:

1. for each $i \in [1, l(\rho)]$, $\exists x\, \rho_i(I) = \exists x\, \rho'_i(I)$ and $\exists x\, \rho_i(O) = \exists x\, \rho'_i(O)$;

2. $\exists x\, \rho'_1(I) = \rho'_1(I)$ and for each $i \in [2, l(\rho)]$, $\exists x\, \rho'_i(I) \sqcup \rho'_{i-1}(O) = \rho'_i(I)$;

3. for each $i \in [1, l(\rho)]$, $\rho_i(O) = \exists x\, \rho_i(O) \sqcup \rho_i(I)$.

Now the proof is analogous to that already given for the case of Rule T4 of Theorem 4.5.
Conversely, assume that $\rho \models \exists x(\psi(A) \wedge \mathit{loc}(x)) \wedge \mathit{inv}(x)$. Then the following facts hold:

1. $\rho \models \mathit{inv}(x)$. Therefore, by definition of $\mathit{inv}(x)$, for each $i \in [1, l(\rho)]$ the following holds:

$\rho_i(O) = \exists x\, \rho_i(O) \sqcup \rho_i(I)$; (2)

2. $\rho \models \exists x(\psi(A) \wedge \mathit{loc}(x))$. Then, from case 2 of Lemma 4.4 and (1) we obtain that $\rho' \models
\psi(A) \wedge \mathit{loc}(x)$ for some $\rho'$ such that

$\exists x\, \rho' = \exists x\, \rho$. (3)

Since $\rho' \models \psi(A) \wedge \mathit{loc}(x)$, from the definition of $\psi(A)$ and of $\mathit{loc}(x)$ it follows that

$\rho' \in R'(A)$ and (4)
$\exists x\, \rho'_1(I) = \rho'_1(I)$ and for each $i \in [2, l(\rho)]$, $\exists x\, \rho'_i(I) \sqcup \rho'_{i-1}(O) = \rho'_i(I)$. (5)

From Definition 3.5, Theorem 4.2, equation E6 of Table 3, Definition 4.1, (2), (3), (4) and (5), it
follows that $\rho \in R'(\exists x A)$ and therefore the thesis holds.
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{Ai II A2) By inductive hypothesis we obtain that 

$1, ...,$„ hp Ai sat ij{Ai) and FVconstrWA^)) = 0, 

for i — 1,2. Then by rule T5 we obtain also that 

$!,...,$„ hp A sat 3X,Yi^{Ai)[X/0]AijiA2)[Y/0] ApariX,Y)), 

where X,Y ^ FV{^p{Ai)) U FV{^p{A2)) and X ^Y. 

The inductive hypothesis and the definition of par{X,Y) imply that 

FVconM^X,Y{^{Ai)[X/0]A^P{A2)[Y/0]Apar{X,Y)) - 0. (6) 

Then, in order to prove the thesis we have to show that 

3X,Y{^{Ai)[X/0] Aib{A2)[Y/0] Apar{X,Y)) = ^{Ai \\ A2), 

holds, that is, we have to prove that p e R'{Ai \\ A2) if and only if p |= 3X,Y{^{Ai)[X/0] A 
iljiA2)[Y/0] ApariX,Y)). 

Assume that p e R'{Ai 11^2)- By Definition |3^, Theorem equation E4 in Table || and 
Definition |t| it follows that there exist p' e R'{Ai) and p" e R'{A2) such that l{p) = l{p') = l{p") 
and, for each i e [l,/(p)], p^iI) = p'.il) = p^I) and p,(0) = p,^(0) U p,^(0) hold. Since p' S R'{Ai), 
the definition of ^{Ai) implies that p' |= tp{Ai). Analogously we have that p" \= iIj{A2). Now the 
proof is analogous to that one already shown for the case of Rule T5 in the proof of Lemma |4.5| . 

Conversely, assume that p \= 3X, Y{tp{Ai)[X/0]Aip{A2)[Y/0] Apar{X, Y)). We have to prove that 
p £ R'{Ai II A2). By case 2 of Lemma 4.4 and there exists a sequence of predicate assignments 
p such that 3X, Yp = 3X, Yp and p ^ 'iJj{Ai)[X/0] A 'iJj{A2)[Y/0] A par{X, Y). 

We can now construct two new sequences p' and p" of predicate assignments having the same length 
as p, such that, for each i G [1, l{p)], 

piiO) = p,iX), p'l{0) - p^{Y) and p[{Z) = p'l{Z) = p,(Z), for each Z e M, Z^O. (7) 

Since X,Y ^ FV{'ip{Ai))\JFV{'ii){A2)) and X / F, by construction it follows that p' |= V(^i) and 
p" ^ ip{A2). Therefore, by definition of '4!{A), 

p' e R'{Ai) and p" e R'{A2). (8) 

Moreover, since p \= par{X, Y), again by construction we obtain that, for i G [1, l{p)\, 

MO)^p[{0)Up'l{0) (9) 

holds. From Definition Theorem equation E4 in Table |, Definition |t], (g), (|) and (|) 
it follows that p e R'{Ai \\ A2). Observe now that, by definition, for any sequence p of predicate 
assignments and for any tccp process ^, p G R'{^) if and only if its 'projection' on the distinguished 
predicates / and O generates a reactive sequence of R{A). Hence, since 3X,Yp — 3X,Yp and 
p G R'{Ai II A2), we have that p G R'{Ai \\ A2) and therefore the thesis holds. 

{A — p{y)) Immediate. 



From the above Theorem we derive the following corollary:

Corollary 4.8 (Completeness) Let $D = \{p_1(x_1) :: A_1, \ldots, p_n(x_n) :: A_n\}$ and $A_{n+1}$ be an agent such
that $A_i$, for $1 \leq i \leq n+1$, only involves calls to procedures declared in D. It follows that $\models D.A_{n+1}\ \mathit{sat}\ \phi$
implies $\vdash_P D.A_{n+1}\ \mathit{sat}\ \phi$.

Proof By the above Theorem we have for $i = 1, \ldots, n$ that

$\Phi_1, \ldots, \Phi_n \vdash_P A_i\ \mathit{sat}\ \psi(D.p_i(x_i))$

where $\Phi_i = p_i(x_i)\ \mathit{sat}\ \psi(D.p_i(x_i))$ (note that $\psi(D.A_i) = \psi(D.p_i(x_i))$). Now a repeated application of
the recursion rule gives us $\vdash_P D.p_i(x_i)\ \mathit{sat}\ \psi(D.p_i(x_i))$. Again by the above Theorem we have that

$\Phi_1, \ldots, \Phi_n \vdash_P A_{n+1}\ \mathit{sat}\ \psi(D.A_{n+1})$.

It follows by a straightforward induction on the length of the derivation (which does not involve applica-
tions of the recursion rule) that

$\Phi'_1, \ldots, \Phi'_n \vdash_P D.A_{n+1}\ \mathit{sat}\ \psi(D.A_{n+1})$

where $\Phi'_i = D.p_i(x_i)\ \mathit{sat}\ \psi(D.p_i(x_i))$, $i = 1, \ldots, n$. So, since $\vdash_P \Phi'_i$ for $i = 1, \ldots, n$, we thus derive that
$\vdash_P D.A_{n+1}\ \mathit{sat}\ \psi(D.A_{n+1})$. Assume now that $\models D.A_{n+1}\ \mathit{sat}\ \phi$. Then $\models \psi(D.A_{n+1}) \to \phi$ holds and an
application of the consequence rule T7 gives us $\vdash_P D.A_{n+1}\ \mathit{sat}\ \phi$.



The formula $\psi(A)$ (analogous to the strongest postcondition) has been used to prove completeness.
However, often to prove a property of a program it is sufficient to deal with some simpler property. The
situation can be compared to the problem of finding a suitable invariant when using the standard Hoare
systems for imperative programming.

5 Related and future work

We introduced a temporal logic for reasoning about the correctness of a timed extension of ccp and we
proved the soundness and completeness of a related proof system.

A simpler temporal logic for tccp has been defined in [ref] by considering epistemic operators of "belief"
and "knowledge" which correspond to the operators I and O considered in the present paper. Even
though the intuitive ideas of the two papers are similar, the technical treatment is different. In fact, the
logic in [ref] is less expressive than the present one, since it does not allow constraint (predicate) variables.
As a consequence, the proof system defined in [ref] was not complete.

Recently, a logic for a different timed extension of ccp, called ntcc, has been presented in [ref]. The
language ntcc [ref] is a non-deterministic extension of the timed ccp language defined in [ref]. Its com-
putational model, and therefore the underlying logic, are rather different from those that we considered.
Analogously to the case of the ESTEREL language, computation in ntcc (and in the language defined in
[ref]) proceeds in "bursts of activity": in each phase a ccp process is executed to produce a response to
an input provided by the environment. The process accumulates monotonically information in the store,
according to the standard ccp computational model, until it reaches a "resting point", i.e. a terminal
state in which no more information can be generated. When the resting point is reached, the absence of
events can be checked and it can trigger actions in the next time interval. Thus, each time interval is
identified with the time needed for a ccp process to terminate a computation. Clearly, in order to ensure
that the next time instant is reached, the ccp process has to be always terminating, thus it is assumed
that it does not contain recursion (a restricted form of recursion is allowed only across time boundaries).
Furthermore, the programmer has to transfer explicitly all the information from a time instant to the
next one by using special primitives, since at the end of a time interval all the constraints accumulated
and all the processes suspended are discarded, unless they are arguments to a specific primitive. These
assumptions allow one to obtain an elegant semantic model consisting of sequences of sets of resting points
(each set describing the behavior at a time instant).

On the other hand, the tccp language that we consider has a different notion of time, since each time-unit
is identified with the time needed for the underlying constraint system to accumulate the tell's and to
answer the ask's issued at each computation step by the processes of the system. This assumption allows
us to obtain a direct timed extension of ccp which maintains the essential features of ccp computations.
No restriction on recursion is needed to ensure that the next time instant is reached, since at each time
instant there are only a finite number of parallel agents which can perform a finite number of (ask and
tell) actions. Also, no explicit transfer of information across time boundaries is needed in tccp, since the
(monotonic) evolution of the store is the same as in ccp (these differences affect the expressive power
of the language, see [ref] for a detailed discussion). Since the store grows monotonically, some syntactic
restrictions are needed also in tccp in order to obtain bounded response time, that is, to be able to
statically determine the maximal length of each time-unit (see [ref]).

From a logical point of view, as shown in [ref] the set of resting points of a ccp process characterizes essen-
tially the strongest postcondition of the program (the characterization however is exact only for a certain
class of programs). In [ref] this logical view is integrated with (linear) temporal logic constructs which are
interpreted in terms of sequences of sets of resting points, thus taking into account the temporal evolution
of the system. A proof system for proving the resulting linear temporal properties is also defined in [ref].
Since the resting points provide a compositional model (describing the final results of computations), in
this approach there is no need for a semantic and logical representation of "assumptions". On the other
hand such a need arises when one wants to describe the input/output behavior of a process, which for
generic (non-deterministic) processes cannot be obtained from the resting points. Since tccp maintains
essentially the ccp computational model, at each time instant rather than a set of final results (i.e. a set
of resting points) we have an input/output behavior corresponding to the interaction of the environment,
which provides the input, with the process, which produces the output. This is reflected in the logic
we have defined.

Related to the present paper is also [ref], where tcc specifications are represented in terms of graph
structures in order to apply model checking techniques. A finite interval of time (introduced by the user)
is considered in order to obtain a finite behavior of the tcc program, thus allowing the application of
existing model checking algorithms.

Future work concerns the investigation of an axiomatization for the temporal logic introduced in this
paper and the possibility of obtaining decision procedures, for example considering a semantic tableaux
method. Since reactive sequences have been used also in the semantics of several other languages, including
dataflow and imperative ones [refs], we plan also to consider extensions of our logic to deal with
these different languages.
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